KB-5794: Nessus 5.2.9 scan vulnerability, flagging 'server signing' port 445 required for Samba

Centrify DirectControl, Centrify DirectControl Plugins

15 October, 15 at 12:11 AM

Applies to:

Centrify DirectControl with Centrify Samba 4.5.9 on All Linux Servers
 

Problem:

While running the third-party scanning tool Nessus 5.2.9 for audit purposes against a host with Centrify DirectControl and Centrify Samba, it flags an alert that signing is set to "not required" on the remote SMB server (see attached output).
 

Cause:

If the host's smb.conf is set to ‘server signing = disabled’, signing is not required on the remote SMB server, which can allow man-in-the-middle attacks against the SMB server.

 
Workaround:
See Resolution.

 
Resolution:
  • Edit smb.conf and modify/add the parameters ‘server signing = mandatory’ and ‘smb encrypt = auto’ in the [global] section.
 
The above settings configure Samba to always require its clients to sign SMB packets, and the Samba server will then sign its own packets as well.
 
  • Restart samba service.
# /etc/init.d/centrifydc-samba restart
 
  • Re-run adbindproxy.pl.
# /usr/share/centrifydc/bin/adbindproxy.pl
 
  • Re-run Nessus scan.
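To confirm the change took effect before re-running the scan, the following added shell check (not part of the Centrify article) reads the [global] section of a given smb.conf and reports both parameters; the /etc/samba/smb.conf path in the usage comment and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the Centrify article: audit an smb.conf for the
# two [global] parameters the resolution sets. smb_signing_audit returns 0
# only when 'server signing = mandatory' and 'smb encrypt' are both present.

# Print the effective value of a [global] parameter. Skips comment lines
# starting with '#' or ';', tolerates spaces around '=', and matches
# parameter names the way Samba does (case-insensitive, whitespace
# ignored); the last occurrence in [global] wins.
smb_global_param() {
    conf="$1"; want="$2"
    awk -v want="$want" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ { sect = tolower($0); gsub(/\[|\]|[ \t]/, "", sect); next }
        sect == "global" && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) last = val
        }
        END { if (last != "") print last }
    ' "$conf"
}

# Report both settings; a non-zero return means the scan finding would remain.
smb_signing_audit() {
    conf="$1"; rc=0
    signing=$(smb_global_param "$conf" "server signing")
    encrypt=$(smb_global_param "$conf" "smb encrypt")
    case "$(printf '%s' "$signing" | tr 'A-Z' 'a-z')" in
        mandatory) echo "server signing = $signing (OK)" ;;
        "")        echo "server signing not set in [global] (Samba default applies)"; rc=1 ;;
        *)         echo "server signing = $signing (NOT mandatory, expect a scan finding)"; rc=1 ;;
    esac
    if [ -n "$encrypt" ]; then
        echo "smb encrypt = $encrypt (set)"
    else
        echo "smb encrypt not set in [global]"; rc=1
    fi
    return $rc
}

# Usage (path assumed): smb_signing_audit /etc/samba/smb.conf
```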
